Trouble getting pfsense + openvpn + edgerouter-x working



  • Been banging my head against a wall for a few days now attempting to set up a pfSense instance on a recently acquired Dell R210ii. Goal is to run all traffic on the home network through the pfSense box, with certain VLANs routing out to the VPN and some to the clearnet gateway.

    I've largely followed: https://nguvu.org/pfsense/pfsense-baseline-setup/

    I've checked and triple checked my configurations on pfSense and er-x.

    ISP is ATT U-Verse with a Pace 5268ac box that only supports a "DMZ+" mode, which is basically bridging.

    Using OpenVPN to connect to AirVPN and that connection is showing all green.

    Using the ER-X as a managed, VLAN-aware switch behind the pfSense box, which is behind the ATT box (need the ATT box to get service).

    I cannot get any internet connectivity on the VPN interface (VLAN 20).
    At points, connectivity has been present for clearnet (VLAN 30), but it has been inconsistent.
    I suspect that the issue is somewhere in my NAT rules, or the ATT box is a POS and is ruining all my hopes and dreams.

    Thanks for help in advance

    NAT (screenshot)
    WAN Firewall rules (screenshot)

    LAN Firewall

    VLAN 20 VPN Firewall rules (screenshot)

    VLAN 30 Clearnet rules (screenshot)

    VPN_WAN interface firewall rules (screenshot)

    Interfaces (screenshot)

    EdgeRouter-X Config (screenshot)


  • Netgate Administrator

    Your pfSense config looks OK, at least the parts we can see. Your DNS setup there may not be good, but you should be able to ping out by IP at least from the VLAN subnet.

    I'd have to guess your edge router config is bad but it's the first time I'm ever looking at one.
    What exactly is it supposed to be doing? How is it connected?

    Steve



    @stephenw10 I neglected to mention that I am able to ping out; DNS is fine, it seems.

    The EdgeRouter should be acting as a VLAN-aware switch; from what I've seen this is possible with the ER-X.

    Eth 1,2,3,4 should be configured as a part of switch 0. Leaving eth0 for connecting for confirmation for now.

    Eth1 - trunk to pfSense box
    Eth2 - hardwired VPN (vlan 20) port
    Eth3 - hardwired clearnet port (vlan 3)
    Eth4 - will be going to an access point, but have not set that up yet.

    It's quite possible that the ER-X is the issue; the configuration is a little weird for me.

    Anything on eth2 from the client machine should be tagged as VLAN 20, same for VLAN 30 and eth3.


  • Netgate Administrator

    Hmm, well reading this it does appear to be correct at least in terms of the VLAN config.

    Do you have DHCP enabled on those interfaces in pfSense? And are clients connected to the edgerouter pulling an IP in the correct subnet? If so the VLAN setup is probably correct.

    In which case can we see your outbound NAT rules?

    Steve



    @stephenw10 Yup, DHCP is good; clients get an IP in the correct subnet.

    Here's the outbound NAT (screenshot):

    Starting to think I need to just bypass this ATT box...


  • Netgate Administrator

    Hmm, OK. That should work.

    I'd probably run some packet captures on WAN and the OpenVPN interface when trying to ping out to IPs that should be reachable over each from VLAN 20. See what traffic is actually going where and what replies, if any, are returning.

    Steve
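The capture-and-compare step Steve describes above, as an added example that is not part of the thread: a small POSIX sh helper that reads the text output of two tcpdump captures (WAN and the OpenVPN client interface) for a ping from a VLAN 20 host and reports which of the usual failure modes it matches. Assumed names and addresses (none are from the thread): VLAN 20 subnet 10.20.0.0/24, WAN interface em0, OpenVPN client interface ovpnc1, test target 1.1.1.1; the sample capture lines at the bottom are constructed. It relies on tcpdump on pfSense seeing outbound packets after pf has applied outbound NAT, so a private source address on ovpnc1 means the NAT rule is missing.

```shell
#!/bin/sh
# Capture on pfSense while pinging 1.1.1.1 from a VLAN 20 host, then classify:
#   tcpdump -ni em0    -w wan.pcap icmp and host 1.1.1.1
#   tcpdump -ni ovpnc1 -w vpn.pcap icmp and host 1.1.1.1
#   classify_path "$(tcpdump -nr wan.pcap)" "$(tcpdump -nr vpn.pcap)"

VLAN20_PAT='10\.20\.0\.'   # assumed VLAN 20 subnet, as a grep pattern

# count_lines TEXT PATTERN: number of lines of TEXT matching PATTERN (always exits 0)
count_lines() {
    printf '%s\n' "$1" | grep -c -- "$2" || true
}

# classify_path WAN_TEXT VPN_TEXT: print "<finding>: <explanation>"
classify_path() {
    wan="$1"; vpn="$2"
    wan_req=$(count_lines "$wan" "ICMP echo request")
    vpn_req=$(count_lines "$vpn" "ICMP echo request")
    vpn_rep=$(count_lines "$vpn" "ICMP echo reply")
    # echo requests on the VPN interface still carrying the VLAN 20 source address
    vpn_unnat=$(count_lines "$vpn" "IP ${VLAN20_PAT}[0-9]* > .*ICMP echo request")
    if [ "$wan_req" -gt 0 ] && [ "$vpn_req" -eq 0 ]; then
        echo "policy-routing: VLAN 20 traffic is leaving via WAN, not the VPN gateway"
    elif [ "$vpn_req" -eq 0 ]; then
        echo "no-egress: requests reach neither interface; check VLAN 20 rules and gateway"
    elif [ "$vpn_unnat" -gt 0 ]; then
        echo "nat-missing: requests leave ovpnc1 with a private source; add outbound NAT on the VPN interface"
    elif [ "$vpn_rep" -eq 0 ]; then
        echo "no-reply: NATed requests leave via the VPN but nothing returns; check the VPN side"
    else
        echo "ok: requests and replies both seen on the VPN interface"
    fi
}

# Constructed sample captures (tcpdump -n text output) for a stand-alone run.
SAMPLE_WAN_LEAK='12:00:01.000001 IP 99.0.0.5 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64'
SAMPLE_VPN_UNNAT='12:00:01.000001 IP 10.20.0.10 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64'
SAMPLE_VPN_OK='12:00:01.000001 IP 10.4.5.6 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:01.050001 IP 1.1.1.1 > 10.4.5.6: ICMP echo reply, id 7, seq 1, length 64'

classify_path "$SAMPLE_WAN_LEAK" ""     # policy-routing
classify_path "" "$SAMPLE_VPN_UNNAT"    # nat-missing
classify_path "" "$SAMPLE_VPN_OK"       # ok
```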